[Debian-med-packaging] Bug#1078176: bookworm-pu: package dcm2niix/1.0.20220720-1+deb12u1
Étienne Mollier
emollier at debian.org
Wed Aug 7 22:24:50 BST 2024
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: dcm2niix at packages.debian.org
Control: affects -1 + src:dcm2niix
User: release.debian.org at packages.debian.org
Usertags: pu
Aloha,
[ Reason ]
dcm2niix is affected by minor security issue CVE-2024-27629 in
bookworm: a local attacker can execute arbitrary code as the
generated file name is not properly escaped and injected into a
system call when certain types of compression are used.
[ Impact ]
dcm2niix will remain vulnerable to this issue if the upload is
not granted.
[ Tests ]
I stressed the vulnerability and found out it was affecting the
current version in bookworm. I could then make sure that the
existing change in sid did prevent the risk of arbitrary code
execution, after applying the relevant change to the dcm2niix
version in bookworm.
I also made sure that the fix for the CVE does not result in an
autopkgtest regression in the reverse dependency heudiconv.
I would have done the same for the other reverse dependency
mricron, but autopkgtest is lacking for this one apparently.
[ Risks ]
The change is only a little risky. The change is minimal, but can
have some (limited) influence on the command output, as
characters '`' and '$' are erased by '_' with the mitigation.
The package has two reverse dependencies that showed no obvious
issues with the fix in place.
[ Checklist ]
[*] *all* changes are documented in the d/changelog
[*] I reviewed all changes and I approve them
[*] attach debdiff against the package in (old)stable
[*] the issue is verified as fixed in unstable
[ Changes ]
This change includes a patch to fix CVE-2024-27629. The patch
consists in sanitizing the output file name by erasing backticks
or dollar characters by an underscore before handing the output
file name to the next steps of the code, which may involve some
parsing by a shell.
[ Other info ]
Have a nice day, :)
--
.''`. Étienne Mollier <emollier at debian.org>
: :' : pgp: 8f91 b227 c7d6 f2b1 948c 8236 793c f67e 8f0d 11da
`. `' sent from /dev/pts/2, please excuse my verbosity
`- on air: Kaipa Da Capo - Det Tysta Guldet
-------------- next part --------------
diff -Nru dcm2niix-1.0.20220720/debian/changelog dcm2niix-1.0.20220720/debian/changelog
--- dcm2niix-1.0.20220720/debian/changelog 2022-08-12 17:21:12.000000000 +0200
+++ dcm2niix-1.0.20220720/debian/changelog 2024-08-07 21:49:01.000000000 +0200
@@ -1,3 +1,11 @@
+dcm2niix (1.0.20220720-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload.
+ * CVE-2024-27629.patch: new: fix risk of arbitrary code execution.
+ Fixes: CVE-2024-27629 (Closes: #1074534)
+
+ -- Étienne Mollier <emollier at debian.org> Wed, 07 Aug 2024 21:49:01 +0200
+
dcm2niix (1.0.20220720-1) unstable; urgency=medium
[ Andreas Tille ]
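Review bot: the changelog entry records what the patch fixes but not the user-visible behaviour change described in the [Risks] section of this request, namely that '`' and '$' in generated output file names are now replaced with '_'. Stable users who match on output file names would want that stated in the entry, e.g. "(backticks and dollar signs in output file names are now replaced by underscores)".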
diff -Nru dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch
--- dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch 1970-01-01 01:00:00.000000000 +0100
+++ dcm2niix-1.0.20220720/debian/patches/CVE-2024-27629.patch 2024-08-07 21:11:41.000000000 +0200
@@ -0,0 +1,24 @@
+Description: Prevent shell expansion.
+ This fixes CVE-2024-27629.
+Author: Daniel Santos
+Bug: https://github.com/rordenlab/dcm2niix/pull/789
+Bug-Debian: https://bugs.debian.org/1074534
+Reviewed-by: Étienne Mollier <emollier at debian.org>
+Applied-Upstream: https://github.com/rordenlab/dcm2niix/commit/51cf5cdb2b2044b22b93f251bd07695e84d456af
+Last-Update: 2024-08-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- dcm2niix.orig/console/nii_dicom_batch.cpp
++++ dcm2niix/console/nii_dicom_batch.cpp
+@@ -3293,6 +3293,11 @@
+ if (outname[pos] == ':') //not allowed by MacOS
+ outname[pos] = '_';
+ #endif
++#if !defined(_WIN64) || !defined(_WIN32)
++ for (size_t pos = 0; pos < strlen(outname); pos++)
++ if (outname[pos] == '`' || outname[pos] == '$') // unix shell expansion characters
++ outname[pos] = '_';
++#endif
+ cleanISO8859(outname);
+ //re-insert explicit path separators: -f %t/%s_%p will have folder for time, but will not segment a protocol named "fMRI\bold"
+ for (int pos = 0; pos < (int)strlen(outname); pos++) {
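Review bot: the guard `#if !defined(_WIN64) || !defined(_WIN32)` is true on every platform except 64-bit Windows (on 32-bit Windows `_WIN64` is undefined, so the first operand already holds), so the block is not restricted to unix-like builds as the "unix shell expansion characters" comment suggests; `#if !defined(_WIN32)` (defined on both 32- and 64-bit Windows) or `&&` would express the intent. Compiling it on 32-bit Windows is harmless, since the two characters are merely rewritten to '_'. Separately, this is a two-character blocklist: other characters a shell interprets (space, ';', '|', quotes, redirections) still pass through, so as long as the sanitised name is interpolated into a command string handed to a shell, quoting the argument or invoking the compressor without a shell remains the more robust follow-up.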
diff -Nru dcm2niix-1.0.20220720/debian/patches/series dcm2niix-1.0.20220720/debian/patches/series
--- dcm2niix-1.0.20220720/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ dcm2niix-1.0.20220720/debian/patches/series 2024-08-07 21:05:34.000000000 +0200
@@ -0,0 +1 @@
+CVE-2024-27629.patch
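As an added illustration, not code from this request, the Debian package or upstream dcm2niix: the blocklist sanitiser applied by the patch above, beside an assumed allowlist variant and a check for characters a POSIX shell would still interpret, run on constructed sample names.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mitigation as in the Debian patch: map the two shell-expansion
 * characters '`' and '$' to '_' in place. */
void sanitize_outname_blocklist(char *outname) {
    for (size_t pos = 0, n = strlen(outname); pos < n; pos++)
        if (outname[pos] == '`' || outname[pos] == '$')
            outname[pos] = '_';
}

/* Assumed stricter variant (not from the page): keep only letters, digits,
 * '_', '-', '.' and '/', and map everything else to '_'. */
void sanitize_outname_allowlist(char *outname) {
    for (size_t pos = 0, n = strlen(outname); pos < n; pos++) {
        unsigned char c = (unsigned char)outname[pos];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '/'))
            outname[pos] = '_';
    }
}

/* True if the name still contains a character a POSIX shell would interpret
 * when the name is interpolated unquoted into a command line. */
bool has_shell_metachar(const char *outname) {
    return strpbrk(outname, "`$;|&<>()\"' \t\n\\*?[]{}~#!") != NULL;
}

/* Copy `in` to a local buffer, run the chosen sanitiser and compare the
 * result with `expected`; returns true on a match. */
bool sanitize_matches(const char *in, const char *expected, bool allowlist) {
    char buf[256];
    if (strlen(in) >= sizeof buf) return false;
    strcpy(buf, in);
    if (allowlist) sanitize_outname_allowlist(buf);
    else sanitize_outname_blocklist(buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed sample names, not real DICOM protocol names. */
    char a[] = "T1`w`_$proto", b[] = "T1 w;2";
    sanitize_outname_blocklist(a);          /* -> T1_w___proto */
    printf("%s meta=%d\n", a, has_shell_metachar(a));
    sanitize_outname_blocklist(b);          /* blocklist leaves ' ' and ';' */
    printf("%s meta=%d\n", b, has_shell_metachar(b));
    sanitize_outname_allowlist(b);          /* -> T1_w_2 */
    printf("%s meta=%d\n", b, has_shell_metachar(b));
    return 0;
}
```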